Abstract


In this paper, we present a new application for $\binom{n}{1}$ oblivious transfer, which is an interactive protocol between two parties Alice and Bob, where Alice has $n$ secrets and Bob has a query $i$. At the end of the protocol Bob has the $i$'th secret and no other information about Alice's other secrets, while Alice does not get any information about $i$. This new application is the Secure Database Access problem. Motivated by this application, we propose an OT scheme which achieves low communication complexity and information theoretic security.

We use a distributed model for $\binom{n}{1}$ oblivious transfer, where Bob interacts with multiple "Alices". In this model, we base our scheme on any PIR scheme, which is a scheme where only the privacy of Bob is considered, and use it to construct an OT scheme, private for both parties, without paying too much in communication complexity. This results in the first sublinear information theoretic scheme for $\binom{n}{1}$ OT.


Further motivated by the application of $\binom{n}{1}$ OT for polynomial $n$, we raise the issue of repetition in $\binom{n}{1}$ OT, where both security and efficiency are important. We show that previous protocols for $\binom{n}{1}$ oblivious transfer fail in this setting.


*yael@theory.lcs.mit.edu
†tal@theory.lcs.mit.edu


1 Introduction 


$\binom{n}{1}$ oblivious transfer (OT) is an interactive protocol between two parties Alice and Bob, where Alice has $n$ secret bits and Bob has a query $i$. At the end of the protocol Bob has the $i$'th secret and no other information about Alice's other secrets, while Alice does not get any information about $i$. Previously, Oblivious Transfer has been proven to be a very important cryptographic primitive for applications such as secret exchange, contract signing, and non-interactive zero knowledge proofs for NP, to name a few [17, 12, 15, 8]. Given the nature of these applications, the $\binom{n}{1}$ oblivious transfer protocol has always been used as a primitive within a larger two party or multi party computation, where $n$ of a constant size was sufficient.

In this paper, we offer a new direct application of $\binom{n}{1}$ oblivious transfer in which the number of secrets $n$ is polynomial. This application is the Secure Database Access problem, which involves a user who queries a database for the value in some location $i$, such that the database does not learn anything about the user's query $i$, and the user does not learn anything about the database except for the value in a single location $i$. This problem is equivalent to the $\binom{n}{1}$ OT problem.

The problem of secure database access, where security of both the user and database is considered, is a 
very natural problem, that arises in practice. For example, consider an investor who decides on a stock based 
on information he receives from a database containing stock information. In this scenario, it is likely that 
the user wishes to keep his choice of stock, or query, secret while the database would like to keep the stock 
information private to itself, except for the particular stock that the user has paid for. Clearly, security of 
both should be maintained. 

Having this application in mind, we are faced with a new problem in $\binom{n}{1}$ OT that none of the existing implementations address: reducing the cost of communication complexity, or the total amount of bits transferred between Alice and Bob, as $n$ grows. Moreover, we want to achieve information theoretic security for both sides. In order to achieve these goals, we use a distributed model for $\binom{n}{1}$ OT, where the user interacts with multiple secret holders who do not communicate with each other.


Previous Work 


A naive solution to the Secure Database Access problem would be to use an already existing $\binom{n}{1}$ OT protocol, such as [9, 14]. However, these protocols rely on cryptographic assumptions and their communication complexity is at least $\Omega(nk)$ where $k$ is a security parameter. In contrast, our goals are to achieve information theoretic results and a communication complexity which is sublinear in $n$.

Schemes that reduce the communication complexity were introduced for the Private Information Re- 
trieval problem [11, 2], in which the user’s query is protected by information theoretic security. This work 
achieved sublinear communication complexity by using a multi database model in which a constant number 
of databases rather than a single database are used. However, it does not achieve privacy for the database’s 
information, since the user can get additional information about the database, other than the value in a 
single location. Here, we show how data privacy can be added to any PIR protocol without paying too much 
in communication complexity. 

Another protocol called Instance Hiding [3, 4] allows for information theoretic security for both the user 
and the database, in a model where the database size n is exponential, and the number of databases needed 
is logarithmic. In contrast, here we consider n to be feasible (following the PIR model [11]), which allows us 
to achieve those results for a constant number of databases. 

[7, 16] show that any two party protocol can be achieved in the two-prover IP model without cryptographic assumptions, which implies a distributed model for $\binom{n}{1}$ OT achieving information theoretic security. Although known reductions between $\binom{2}{1}$ OT and $\binom{n}{1}$ OT exist ([8, 12]), they cost a high price in communication complexity, and thus cannot be used to convert the $\binom{2}{1}$ OT protocol of [7] into a sublinear $\binom{n}{1}$ OT protocol.


Our Contribution 


• We show a direct application for $\binom{n}{1}$ OT — the Secure Database Access problem. This is the first application where $n$ is polynomial. This motivates a new range of problems in $\binom{n}{1}$ OT, such as sublinear communication complexity, and repetitive OT (see below).

• We suggest a new model for OT — distributed $\binom{n}{1}$ OT, where $n$ is polynomial, and there are multiple secret holders. This allows us to achieve the following properties:

• We show an efficient $\binom{n}{1}$ OT, using sublinear communication complexity. Specifically, starting from any private information retrieval protocol for constant $k$ databases, we show a secure database access (equivalently, $\binom{n}{1}$ oblivious transfer) protocol for $k + 2$ databases ("secret holders"), paying at most a logarithmic factor in communication complexity.

For example, for $k = 2$, since currently the best known PIR protocol [2, 11] uses $O(n^{1/3})$ communication, our scheme uses $O(n^{1/3} \log n)$ communication. The same scheme can be used to achieve polylogarithmic communication complexity for a logarithmic number of databases. If we allow computational assumptions, our scheme can achieve $O(n^{\epsilon})$ communication complexity for any $\epsilon > 0$, using [10].

• Our scheme achieves an information theoretic OT which is not based on any cryptographic assumptions (which is impossible in the traditional non-distributed model).

• We also raise the question of repetition in $\binom{n}{1}$ oblivious transfer, namely we consider a scenario where multiple executions of $\binom{n}{1}$ oblivious transfer are necessary, using the same $n$ secrets. We examine whether existing implementations for $\binom{n}{1}$ oblivious transfer allow for repetitive use maintaining security and efficiency. Surprisingly, the answer is negative.


Organization 

In section 2 we give preliminaries and definitions of the already existing and our new model of $\binom{n}{1}$ OT. Then, in section 3, we present our implementation — the Random Pointer scheme — which guarantees information theoretic security for both parties while maintaining the communication complexity low. These properties are proven in section 4. In section 5, we outline possible generalizations. In section 6 we present the new open problem that deals with repetitive executions of $\binom{n}{1}$ OT, and show how existing $\binom{n}{1}$ OT implementations are not adequate for this purpose.


2 Preliminaries and Definitions 


2.1 Oblivious Transfer 


Oblivious transfer comes in various forms, including "standard" OT, $\binom{2}{1}$ OT, and $\binom{n}{1}$ OT. These variants are all equivalent, in the sense that reductions among them exist ([8, 12]). In this paper, we are interested in $\binom{n}{1}$ oblivious transfer, which is defined as follows.

$\binom{n}{1}$ Oblivious Transfer: This is an interactive protocol between two parties Alice and Bob. In this protocol, Alice has $n$ secret bits $S_1, \dots, S_n$, and Bob has a selection index $i \in \{1, \dots, n\}$. At the end of the protocol, the following three conditions hold.

1. Bob learns the $i$'th secret, $S_i$.
2. Bob gains no further information about the other secrets $S_j$ for $j \neq i$.
3. Alice learns nothing about the value of $i$.


2.2 Distributed $\binom{n}{1}$ Oblivious Transfer


As described above, the model used in the traditional oblivious transfer consists of two parties, Alice and Bob. Alice has $n$ secret bits and Bob has a query which is an index to one of those secrets. Implementations of traditional OT were shown using cryptographic assumptions (such as the existence of one way functions [14]), noisy channels [15, 16], or quantum computation [6]. The need to make some computational assumption is inherent in this model, because Alice has access to the complete transcript of the communication between her and Bob, and thus she can, information theoretically, determine exactly what Bob can infer about her data. Thus, this model does not allow us to implement an information theoretic protocol. We overcome this inherent problem by moving from the traditional model to a distributed one, as follows.

In the distributed OT model, the secret holder Alice is distributed into multiple holders who do not 
communicate with each other. More formally: 


$\binom{n}{1}$ Distributed Oblivious Transfer: This is a protocol between $k$ secret holders ("Alices") $A_1, \dots, A_k$, holding $n$ secret bits $S_1, \dots, S_n$, and one user Bob, holding a selection index $i \in \{1, \dots, n\}$. The protocol is run in two stages: the setup stage, and the online stage. After the initial setup stage, no two $A_j, A_l$, $j \neq l$ are allowed to communicate with each other.

At the end of the protocol, the following three conditions hold.

1. Bob learns the $i$'th secret, $S_i$.
2. Bob gains no further information about the other secrets $S_j$ for $j \neq i$.
3. $\forall j$, $A_j$ learns nothing about the value of $i$.


This distributed model allows us to obtain the following properties: 


Information theoretic OT Each Alice on her own, without communicating with the other Alices, receives a view which is completely independent of Bob's query $i$. Thus, no individual Alice can gain any information about $i$.

Note that this is impossible to achieve in the traditional OT model with a single Alice, since in this case Alice's view is the same as Bob's.

Sublinear communication complexity The total amount of bits exchanged between all the Alices and Bob for one query is sublinear in $n$.

All existing protocols in the traditional model fail to achieve this, because, since Bob's query is to remain secret, they are based on Alice sending to Bob information regarding all her secrets (in a way that will allow Bob to recover only one of them), and thus existing protocols require communication complexity which is at least linear in the number of secrets.


Note that by information theoretic OT we do not mean that the parties should be computationally 
unlimited in order to correctly execute the protocol, but rather that the security of the protocol is information 
theoretical. That is, polynomial computation power suffices to use the protocol, but even if the other side 
has unlimited computational power, she will not be able to extract more information than she was supposed 
to. 

Within the distributed OT model, we implement a protocol which solves our goals mentioned above. This protocol uses private information retrieval (PIR) as a subprotocol. Since in this paper we present the problem in the context of oblivious transfer, where we have a secret holder (Alice) instead of a database as in the PIR scheme, for clarity we rename the PIR scheme to semi-oblivious transfer. In semi-oblivious transfer, we let go of the second condition in the definition of OT, allowing Bob to possibly get more information about the secrets other than $S_i$:


$\binom{n}{1}$ Distributed Semi-Oblivious Transfer: This is a protocol between $k$ secret holders ("Alices") $A_1, \dots, A_k$, holding $n$ secret bits $S_1, \dots, S_n$, and one user Bob, holding a selection index $i \in \{1, \dots, n\}$. The protocol is run in two stages: the setup stage, and the online stage. After the initial setup stage, no two $A_j, A_l$, $j \neq l$ are allowed to communicate with each other.

At the end of the protocol, the following two conditions hold.

1. Bob learns the $i$'th secret, $S_i$.
2. $\forall j$, $A_j$ learns nothing about the value of $i$.


These definitions may be extended in the natural way to deal with longer secrets, consisting of $\ell$ bits each.
Notation: The communication complexity required for a $\binom{n}{1}$ semi-oblivious transfer protocol for $\ell$-bit secrets using $k$ secret holders, is denoted by $SOT_k(\ell, n)$.


2.3 Application: The Secure Database Access Problem


We describe here an application of $\binom{n}{1}$ oblivious transfer — the Secure Database Access problem, which is a direct application of $\binom{n}{1}$ OT for a polynomial $n$. In this problem, there is a user who wants to retrieve some information from a database. We assume the data is a string of $n$ bits, and the user is interested in the $i$'th bit. The user wants to keep his interest $i$ secret from the database, and the database does not want to give any additional information except one bit in a single location. At the end of the protocol, the user will have the $i$'th bit, but no other information about any other bit, and the database will have no information about $i$.

Clearly, secure database access (where security of both the user and the database is considered) is equivalent to $\binom{n}{1}$ oblivious transfer, and thus any solution for the latter will automatically translate into a solution for the former.


3 The Random Pointer Scheme 


In this section we present a scheme that achieves sublinear communication complexity and information theoretic security in the distributed $\binom{n}{1}$ oblivious transfer model. Our scheme uses any semi-oblivious scheme of $k$ secret holders to obtain a distributed OT scheme with $k + 2$ secret holders, paying only a logarithmic factor in communication complexity.


3.1 Overview 


We start by recalling that sublinear information-theoretical schemes for semi-oblivious transfer exist in a distributed model (using any private information retrieval scheme, such as [2, 11]). However, those schemes are only concerned with Bob's privacy, and not Alice's. That is, Bob can get more information about the secrets, in addition to just $S_i$. Thus, in order to achieve privacy for both parties, we must prevent Bob from getting this extra information.

We achieve this using the following idea: There are $k + 2$ secret holders: $A_1, \dots, A_k, R_1, R_2$. Those secret holders are not allowed to communicate amongst themselves. $R_1$ and $R_2$ each consist of a random string with an equal number of zeros and ones. $A_1, \dots, A_k$ contain the original data and a copy of $R_1$ and $R_2$. During the final stage of the protocol Bob asks $R_1$ and $R_2$ for their values at indices $j$ and $l$, $R_1(j)$ and $R_2(l)$, respectively (where $j$ and $l$ are pointers to $R$'s contents that Bob obtained by communicating with the $A$'s). Using the values of those pointers Bob can compute the value of his query

$$R_1(j) \oplus R_2(l) = S_i \qquad (1)$$

The values of these pointers are chosen by $A$ in such a way that a pair of pointers only gives information about at most one secret bit.

The rest of the interaction between Bob and $A_1, \dots, A_k$ serves the purpose of allowing Bob to obtain an appropriate pair of indices $(j, l)$ that satisfy (1), without revealing any information about his selection index $i$. This is done by running a distributed semi-oblivious transfer subprotocol in which $A_1, \dots, A_k$ use $n$ pairs of the form $(j_1, l_1), (j_2, l_2), \dots, (j_n, l_n)$ for the $n$ secrets, and $i$ as the selection index of Bob.

Using this general paradigm, we need to carefully adjust the details of the protocol so that it indeed implements sublinear, information theoretical, distributed $\binom{n}{1}$ oblivious transfer.

In order for Bob to receive the correct secret $S_i$ in (1), the pairs used as secrets in the subprotocol must satisfy

$$R_1(j_r) \oplus R_2(l_r) = S_r \qquad \forall r \in \{1, \dots, n\} \qquad (2)$$

These secrets cannot be chosen deterministically, because $(j_i, l_i)$ will be sent to $R_1$ and $R_2$ respectively in the clear by Bob, so it should not reveal any information about his interest $i$. Thus, $A_1, \dots, A_k$ need to share some randomness (in our case, they share a few random permutations on $n$ bits).

Before turning to describing the details of the protocol, let us summarize the intuition behind this idea. Since the subprotocol that we want to use (semi-oblivious transfer) leaks excess information about $A$'s secrets, we run the subprotocol with secrets that will not contain any useful information for Bob. In our case, these are the pairs of locations of the form $(j_r, l_r)$, which can be viewed as "pointers" to more useful information. These locations without the actual content of $R_1, R_2$ in these locations, give no information about the original secrets $S_1, \dots, S_n$. However, these locations together with the content of $R_1, R_2$ in these locations, give the original secrets, as implied by (2). Since Bob is allowed to get only one value from each of $R_1$ and $R_2$, we can prove that he does not get any information about the secrets, except for a single secret $S_i$. In addition, privacy of Bob is still maintained, because he talks to $A_1, \dots, A_k$ using SOT, and $R_1$ and $R_2$ each get a uniformly distributed location.


3.2 The Scheme 


This protocol is an interaction between Bob, holding a selection index $i$, and distributed holders $A_1, \dots, A_k$, $R_1, R_2$, where $A_1, \dots, A_k$ hold $n$ secret bits $S_1, \dots, S_n$ and $R_1, R_2$ hold random bits (see below). It uses as a subprotocol, call it $P$, a semi-oblivious transfer scheme (equivalently, private information retrieval), for $k$ distributed holders. $P$ should actually be a semi-oblivious scheme that transfers secrets which are strings, rather than single bits. This can always be achieved by simply repeating a (single-bit) semi-oblivious scheme for every bit in the string, or by using a more efficient scheme, such as the one described in [11]. For efficiency reasons, we require the subprotocol to run in time sublinear in $n$.


Initial Setup for the Secret Holders At this stage we describe what contents each party gets. 


• $R_1$ consists of a random string, chosen uniformly from all strings of $n$ bits, with equal number of 0's and 1's.

• $R_2$ consists of a random string, chosen uniformly from all strings of $2n$ bits, with equal number of 0's and 1's.

• $A_1, \dots, A_k$ each have the secrets $S_1, \dots, S_n$, the contents of $R_1, R_2$, and three random permutations $\pi_1, \pi_2^0, \pi_2^1 : \{1, \dots, n\} \to \{1, \dots, n\}$. (The subscripts indicate whether the permutation will be used to find a location in $R_1$ or $R_2$, and the superscripts indicate the value of the bit that should be found in that location).

We stress that $R_1$ and $R_2$ only need to contain a random string, and are not required to know the secrets of the protocol, or the random permutations which are shared by $A_1, \dots, A_k$.

After the initial setup stage, once Bob steps into the picture, the secret holders are not allowed to 
communicate with each other. 


$\binom{n}{1}$ Oblivious Transfer Protocol (on-line stage)

• Bob chooses three random shifts $s_1, s_2^0, s_2^1 \in_U \{1, \dots, n\}$ and sends them to each of $A_1, \dots, A_k$.

• $A_1, \dots, A_k$ each compute three new permutations $\sigma_1, \sigma_2^0, \sigma_2^1$, which are $\pi_1, \pi_2^0, \pi_2^1$ shifted by $s_1, s_2^0, s_2^1$ respectively. That is, $\forall r \in \{1, \dots, n\}$, $\sigma_1(r) = \pi_1(r) + s_1 \pmod n$, and similarly for $\sigma_2^0$ and $\sigma_2^1$.

• $A_1, \dots, A_k$ each compute $n$ pairs $(j_1, l_1), (j_2, l_2), \dots, (j_n, l_n)$ from $\sigma_1, \sigma_2^0, \sigma_2^1$, $\{S_1, \dots, S_n\}$, and the content of $R_1, R_2$, as follows:

  – $j_r = \sigma_1(r)$ for $r = 1, \dots, n$, hence all the $j$'s are chosen completely randomly.

  – $l_r$'s ($r = 1, \dots, n$) are chosen randomly so that the contents in the $j$ locations and the $l$ locations will xor to the secret bits. To do that, start by letting $b = R_1(j_r) \oplus S_r$ and $m = \sigma_2^b(r)$. Note that in order to satisfy (2) we need to choose $l_r$ such that $R_2(l_r) = b$. Thus, we let $l_r$ = the index of the $m$'th $b$ in $R_2$. That is, if $b = 0$ we choose $l_r$ to be the index of the $m$'th 0 in $R_2$, and similarly for $b = 1$. (Note that $R_2$ has $2n$ bits, consisting of $n$ 0's and $n$ 1's. Thus, for any $b \in \{0, 1\}$ and $m \in \{1, \dots, n\}$, $l_r$ is well defined).

• $A_1, \dots, A_k$ and Bob run the subprotocol $P$ with $(j_1, l_1), (j_2, l_2), \dots, (j_n, l_n)$ as the secrets, and $i$ as the selection index of Bob. At the end of the subprotocol, Bob has the pair $(j, l) = (j_i, l_i)$.

• Bob sends $j$ to $R_1$, and $l$ to $R_2$.

• $R_1$ sends Bob the bit $R_1(j)$, and $R_2$ sends to Bob $R_2(l)$.

• Bob computes the exclusive-or of these two values, yielding $S_i = R_1(j) \oplus R_2(l)$.


The proofs for correctness, security, and efficiency properties of our protocol are presented in the next 
section. 


4 Analysis of the Random Pointer Scheme 


In this section we analyze the complexity and security of our protocol. In particular, we show that it achieves sublinear communication complexity, and that it satisfies the definition of distributed $\binom{n}{1}$ oblivious transfer, including correctness and information theoretic security for both parties.

Assumption: In the analysis, we consider any user Bob which may be malicious and deviate from the protocol. As for the secret holders, we first make the usual assumption that they want to send the secret to Bob, so that they won't send junk instead of the real secrets¹. However, if we limit ourselves to this assumption only, then if all of $A_1, \dots, A_k$ and one of the $R_j$ collaborate during setup time, and deviate from the protocol during the online stage, then $R_j$ can get information about Bob's query².

Thus, we need to make one of the following assumptions, in order to protect the privacy of Bob against the random holders $R_1, R_2$. Either assume that the secret holders are honest but curious, namely they follow the protocol, but may try to extract as much information as possible about the identity of Bob's query. Alternatively, we may make the assumption that the random holders ($R_1, R_2$) do not know the random permutations shared by $A_1, \dots, A_k$. This assumption is satisfied if we require that $R_1, R_2$ do not get any communication from $A_1, \dots, A_k$ during the setup stage. Under this assumption, all the secret holders may be malicious, and deviate from the protocol. This assumption is reasonable, since we can think of $R_1, R_2$ as auxiliary databases (consisting of a random string), provided by an independent source, such as a special server for this purpose (and they may be determined in advance, independent of the secrets, or chosen later, after the secret holders chose their permutations). Note that these random holders do not need to know anything about the secrets, and no communication from the secret holders to the random holders is required at any stage of the protocol.


4.1 Correctness and Obliviousness 


Notation: Denote our scheme by RP (random pointer scheme). $RP_P$ will denote our random pointer scheme when used with the underlying semi oblivious transfer protocol $P$.

The following three theorems establish the required properties to prove that our random pointer scheme satisfies the definitions of distributed oblivious transfer. Recall that the definition consists of three properties that must hold at the end of the execution: (1) Bob learns $S_i$ for his selection index $i$ (correctness); (2) Bob gains no further information about the other secrets $S_j$ for $j \neq i$ (privacy of secret holders); and (3) $\forall j$, $A_j$ learns nothing about the value of $i$ (privacy of recipient).


Correctness 


Theorem 1 If $P$ is a semi-oblivious transfer scheme, then $RP_P$ is correct, i.e. if Bob follows the protocol with selection index $i$, the value he obtains at the last step is the secret $S_i$.

Proof: By reduction from the correctness of $P$, after running $P$ with $A_1, \dots, A_k$, Bob receives the pair $(j, l) = (j_i, l_i)$ corresponding to his selection index $i$. From the way $l_i$ was constructed, it is a location in which $R_2$ has the bit $b = R_1(j) \oplus S_i$. Thus, $R_1(j) \oplus R_2(l) = S_i$ and Bob receives the correct secret $S_i$.


¹ This is a common assumption in the OT model, and is quite natural, for example if we view the secret holders as a commercial database which sells data, and charges per query.

² For example, they could agree on fixed permutations to use, ignoring Bob's shifts, and then when $R_j$ receives the user's query he knows which location it corresponds to, according to the fixed permutation.


Privacy of secret holders 


Theorem 2 (informal statement) For any strategy Bob' (possibly cheating), if all holders follow the protocol, Bob' cannot get any information about more than one secret $S_i$ of his choice.

To state the theorem formally and prove it, we define the view of Bob' (for any strategy Bob'), and prove that its distribution is independent of all but one secrets.

Let Bob' be any strategy for the recipient. Bob' runs a semi-oblivious subprotocol $P$ with $A_1, \dots, A_k$ and the secrets $(j_1, l_1), \dots, (j_n, l_n)$, at the end of which he receives $(j_i, l_i)$ and possibly additional information about these secrets which the subprotocol leaks. We assume a worst case in which Bob' receives the full information about all the secrets, namely he gets $(j_1, l_1), (j_2, l_2), \dots, (j_n, l_n)$, and we show that even in this worst case, Bob' cannot obtain any information about the real secrets $S_1, \dots, S_n$ other than a single secret $S_i$ of his choice.

Let $V(j, l) = [(j_1, l_1), \dots, (j_n, l_n), R_1(j), R_2(l)]$; $V(j, l)$ is the view received by a Bob' who sends queries $j, l$ to $R_1, R_2$ respectively. (This is the assumption mentioned above. In reality, the view of Bob' can be derived from $V(j, l)$, but is possibly much smaller). Note that an honest Bob should set $j = j_i$, $l = l_i$, but we allow a possibly cheating Bob', who may choose arbitrary $j, l$.

Consider a partial view $V^- = [(j_1, l_1), \dots, (j_n, l_n), R_1(j)]$ where the last answer (from $R_2$) is omitted. Let $D$ be the domain of all possible partial views $V^-$. Thus, $|D| = 2 \cdot n! \cdot \binom{2n}{n} \cdot n! = 2\,(2n)!$. We will prove that the partial view $V^-$ is uniformly distributed over $D$, and from this we will be able to prove that the distribution of the complete view $V$ depends only on one secret.

In what follows, the notation $X \sim U[D]$ means that the random variable $X$ is distributed uniformly over the domain $D$.


Theorem 2 $\forall j, l$, the distribution of $V(j, l)$ may depend on at most one secret. More specifically, for any possible value $v \in D \times \{0, 1\}$ of the view $V(j_r, l_{r'})$,

$$\Pr[V(j_r, l_{r'}) = v] = \begin{cases} \dfrac{\epsilon}{|D|} & \text{if } R_1(j_r) \oplus R_2(l_{r'}) = S_{r'} \\[6pt] \dfrac{1 - \epsilon}{|D|} & \text{otherwise} \end{cases}$$

where $\epsilon = 1$ if $r = r'$, and $\epsilon = \frac{1}{2} - \frac{1}{2(n-1)}$ if $r \neq r'$, and probabilities are taken over the choices of $\pi_1, \pi_2^0, \pi_2^1, R_1, R_2$.

Note that from this theorem, if $j, l$ correspond to a pair $(j_r, l_r)$ (as in the honest Bob case), then the view provides complete information about $S_r$ (since $\epsilon = 1$, so $S_r = R_1(j_r) \oplus R_2(l_r)$), whereas if $j, l$ do not correspond to such a pair, only partial information about $S_{r'}$ is provided (since there is a positive probability for both $S_{r'} = 0$ and $S_{r'} = 1$).

In either case, the last two components of the view contain information about the secret $S_{r'}$, but the view does not depend on any other secret.

We proceed with a sequence of lemmas that will prove the theorem, by gradually adding components to the view, while maintaining its independence of all secrets except $S_{r'}$. The first three lemmas will establish the uniform distribution of $V^-$, and lemma 4 will complete the calculation for the last component in the view.


Lemma 1 $\forall j$, $R_1(j) \sim U[\{0, 1\}]$ (probability is taken over choice of $R_1$).

Proof: Obvious, since $R_1$ is chosen uniformly from all strings of length $n$ with half 0's and half 1's, and thus for any particular location $j$, $R_1(j)$ is 0 or 1 with equal probability.


Lemma 2 $\forall j$, $[j_1, \dots, j_n \mid R_1(j)] \sim U[\text{all permutations on } \{1, \dots, n\}]$ (probability is taken over choice of $\pi_1$).

Proof: Since $\pi_1$ is a uniformly distributed permutation, so is $\sigma_1 = \pi_1 + s_1$, namely $(j_1, \dots, j_n) = (\sigma_1(1), \dots, \sigma_1(n)) = (\pi_1(1) + s_1, \dots, \pi_1(n) + s_1)$ is uniformly distributed over all permutations on $\{1, \dots, n\}$ (recall that addition here is modulo $n$).

This is true independent of $R_1(j)$, and thus $[j_1, \dots, j_n \mid R_1(j)] = [j_1, \dots, j_n]$ is also uniformly distributed.


Lemma 3 $\forall j$, $[l_1, \dots, l_n \mid R_1(j), j_1, \dots, j_n] \sim U$ over all sequences of $n$ distinct locations in $\{1, \dots, 2n\}$ (probability is taken over choices of $R_1, R_2, \pi_2^0, \pi_2^1$).

Proof: Given values $R_1(j), j_1, \dots, j_n$, we want to prove that every sequence $l_1, \dots, l_n$ is equally likely (i.e. uniform distribution). Fix an arbitrary $R_1$ with a suitable $R_1(j)$. This defines a sequence of bits $\{b_r = R_1(j_r) \oplus S_r\}_{r=1}^{n}$. Then, for $r \in \{1, \dots, n\}$, $l_r$ is chosen to be the index of the $m_r$'th bit with value $b_r$ in $R_2$, where $m_r = \sigma_2^{b_r}(r)$. Thus, for any particular sequence $l_1, \dots, l_n$, $\Pr[l_1, \dots, l_n \mid R_1, R_1(j), j_1, \dots, j_n] = \Pr[\forall r : R_2(l_r) = b_r \wedge \sigma_2^{b_r}(r) = m_r$, where $l_r$ is the $m_r$'th bit with value $b_r$ in $R_2]$. This probability (for a fixed $R_1$) is taken over $R_2$ and $\pi_2^0, \pi_2^1$. It is not necessary to calculate the exact probability to see that it is the same for each sequence $l_1, \dots, l_n$, since $\sigma_2^0$ and $\sigma_2^1$ are both uniformly distributed permutations (because $\sigma_2^b = \pi_2^b + s_2^b$). We have some number $k$ of restrictions on the values of $\sigma_2^0$ and $n - k$ restrictions on the values of $\sigma_2^1$, which yields a certain probability that these restrictions will be satisfied, regardless of the actual values $l_1, \dots, l_n$ of the restrictions³. Thus for each sequence we have the same probability, and thus $[l_1, \dots, l_n \mid R_1, R_1(j), j_1, \dots, j_n] \sim U$ over all sequences of $n$ distinct locations in $\{1, \dots, 2n\}$ (where probability is taken over the choice of $R_2, \pi_2^0, \pi_2^1$). This is true for any fixed $R_1$, and thus it is also true when $R_1$ is chosen randomly.


Lemma 4 $\forall j = j_r$, $l = l_{r'}$,

$$\Pr[R_2(l_{r'}) = 0 \mid R_1(j_r), j_1, \dots, j_n, l_1, \dots, l_n] = \begin{cases} \epsilon & \text{if } S_{r'} = R_1[j_r] \\ 1 - \epsilon & \text{otherwise} \end{cases}$$

where $\epsilon = 1$ if $r = r'$, and $\epsilon = \frac{1}{2} - \frac{1}{2(n-1)}$ if $r \neq r'$ (probability is taken over choices of $R_1$).


Proof: Given $R_1(j_r), j_1, \dots, j_n, l_1, \dots, l_n$, from the way the $l_r$'s were chosen, $R_2(l_{r'}) = R_1(j_{r'}) \oplus S_{r'}$, and thus $R_2(l_{r'}) = 0 \iff R_1(j_{r'}) = S_{r'}$. Therefore,

$$\Pr[R_2(l_{r'}) = 0 \mid R_1(j_r), j_1, \dots, j_n, l_1, \dots, l_n] = \begin{cases} 1 & \text{if } r = r' \text{ and } S_{r'} = R_1[j_r] \\ 0 & \text{if } r = r' \text{ and } S_{r'} \neq R_1[j_r] \\[4pt] \dfrac{\binom{n-2}{n/2-2}}{\binom{n-1}{n/2-1}} & \text{if } r \neq r' \text{ and } S_{r'} = R_1[j_r] \\[8pt] \dfrac{\binom{n-2}{n/2-1}}{\binom{n-1}{n/2-1}} & \text{if } r \neq r' \text{ and } S_{r'} \neq R_1[j_r] \end{cases}$$

For $r = r'$ this is obvious. For $r \neq r'$ this is true because $R_1$ is a random string of length $n$ with $\frac{n}{2}$ 0's and $\frac{n}{2}$ 1's. Given $R_1[j_r]$, there are $\binom{n-1}{n/2-1}$ possible strings for $R_1$, each equally probable. Out of those, the number of possibilities where $R_1[j_{r'}] = S_{r'}$ is $\binom{n-2}{n/2-2}$ if $S_{r'} = R_1[j_r]$, and $\binom{n-2}{n/2-1}$ otherwise.

Now it is easy to verify that $\frac{\binom{n-2}{n/2-2}}{\binom{n-1}{n/2-1}} = \frac{1}{2} - \frac{1}{2(n-1)}$ and $\frac{\binom{n-2}{n/2-1}}{\binom{n-1}{n/2-1}} = \frac{1}{2} + \frac{1}{2(n-1)}$, which completes the proof of the lemma.

³ For a direct calculation, it is not hard to check that the probability is

$$\frac{\binom{n}{k}}{\binom{2n}{n}} \cdot \frac{(n-k)!\,k!}{n!\,n!} = \frac{1}{\binom{2n}{n}\,n!} = \frac{1}{(2n)(2n-1)\cdots(n+1)}$$

which is exactly the probability of uniformly selecting a sequence of $n$ distinct locations in $\{1, \dots, 2n\}$, as needed.
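The value of $\epsilon$ for $r \neq r'$ in Lemma 4 can be checked by exhaustively enumerating balanced strings $R_1$; the following is an added check, not from the paper, and the values of $n$ and of the conditioned bits are constructed. Positions 1 and 2 of $R_1$ play the roles of $j_r$ and $j_{r'}$, which loses nothing since a uniformly chosen balanced string treats any two distinct positions alike.

```python
from fractions import Fraction
from itertools import combinations
from math import comb

# Added check of Lemma 4 (not the paper's code). Position 1 of R_1 stands in for
# j_r and position 2 for j_{r'}, with r != r'.

def epsilon_closed_form(n: int) -> Fraction:
    """epsilon for r != r' as stated in Lemma 4: 1/2 - 1/(2(n-1))."""
    return Fraction(1, 2) - Fraction(1, 2 * (n - 1))

def epsilon_binomial(n: int) -> Fraction:
    """The ratio of binomials from the proof, C(n-2, n/2-2) / C(n-1, n/2-1)."""
    return Fraction(comb(n - 2, n // 2 - 2), comb(n - 1, n // 2 - 1))

def prob_match_by_enumeration(n: int, r1_at_jr: int, s_rprime: int) -> Fraction:
    """Pr[R_1[j_{r'}] = S_{r'} | R_1[j_r] = r1_at_jr] over all balanced n-bit strings R_1.
    By the proof of Lemma 4 this equals Pr[R_2(l_{r'}) = 0 | ...], because
    R_2(l_{r'}) = R_1(j_{r'}) xor S_{r'}."""
    if n % 2 or n < 4:
        raise ValueError("n must be even and at least 4")
    total = matching = 0
    for ones in combinations(range(n), n // 2):      # every balanced string exactly once
        r1 = [1 if p in ones else 0 for p in range(n)]
        if r1[0] != r1_at_jr:                         # condition on the value R_1[j_r]
            continue
        total += 1
        if r1[1] == s_rprime:                         # event R_1[j_{r'}] = S_{r'}
            matching += 1
    return Fraction(matching, total)

if __name__ == "__main__":
    n = 8
    # S_{r'} equal to the conditioned bit gives epsilon; the other case gives 1 - epsilon.
    print(prob_match_by_enumeration(n, 1, 1), epsilon_closed_form(n), epsilon_binomial(n))
    print(prob_match_by_enumeration(n, 1, 0), 1 - epsilon_closed_form(n))
```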
Proof of Theorem 2: $\forall j = j_r$, $l = l_{r'}$, let $v^- = [(j_1, l_1), \dots, (j_n, l_n), R_1(j_r)]$ and $v = [v^-, R_2(l_{r'})]$. Then

$$\Pr[v^-] = \Pr[R_1(j_r)] \cdot \Pr[j_1, \dots, j_n \mid R_1(j_r)] \cdot \Pr[l_1, \dots, l_n \mid R_1(j_r), j_1, \dots, j_n] = \frac{1}{|D|}$$

since by lemmas 1, 2, 3 all three terms in the product are uniformly distributed over their domain of possible values, and therefore $V^-$ is uniformly distributed over its domain $D$. Now, from lemma 4 we have that

$$\Pr[v \mid v^-] = \begin{cases} \epsilon & \text{if } R_1(j_r) \oplus R_2(l_{r'}) = S_{r'} \\ 1 - \epsilon & \text{otherwise} \end{cases}$$

Combining these equations, we get

$$\Pr[v] = \Pr[v^-] \cdot \Pr[v \mid v^-] = \begin{cases} \dfrac{\epsilon}{|D|} & \text{if } R_1(j_r) \oplus R_2(l_{r'}) = S_{r'} \\[6pt] \dfrac{1 - \epsilon}{|D|} & \text{otherwise} \end{cases}$$

which completes the proof of the theorem.


Privacy of recipient 


We prove that the RP scheme is private for Bob, provided that the secret holders follow the protocol (honest but curious). As explained in the beginning of the section, this assumption can be removed if $R_1, R_2$ do not know the random permutations, and a similar proof will work for that case.


Theorem 3 If $P$ is a semi-oblivious transfer scheme, then $RP_P$ is recipient-private, i.e. for any honest-but-curious strategies $A'_1, \ldots, A'_k, R'_1, R'_2$, if Bob follows the protocol for a selection index $i$, no secret holder can get any information about $i$.


Proof: For $A'_r$, $1 \le r \le k$, Bob's communication with $A'_r$ is identical to the communication in the underlying $P$, and therefore for these holders the theorem follows by reduction from the privacy of recipient for $P$.

For $R'_1$, the only communication $R'_1$ gets is the index $j = \sigma_1(i) = \pi_1(i) + s_1 \pmod n$. Since $s_1$ is a random shift uniformly distributed in $\{1, \ldots, n\}$, $j$ is a uniformly distributed index in $\{1, \ldots, n\}$, independent of $i$. Thus, $R'_1$ cannot get any information about $i$.

For $R'_2$, the only communication $R'_2$ gets is the index $l$, which is the location of the $m$'th $b$-bit in $R_2$, where $b = R_1(j) \oplus S_i$, and $m = \sigma_2^b(i) = \pi_2^b(i) + s_2^b \pmod n$. Since we showed above that $j$ is uniformly distributed, and since $R_1$ has half 0's and half 1's, it follows that $R_1(j) \in_U \{0, 1\}$, and therefore $b \in_U \{0, 1\}$, independent of $i$. $m$ is uniformly distributed in $\{1, \ldots, n\}$ by the randomness of the shift $s_2^b$, as above. We showed that $b$ and $m$ are both distributed independently of $i$, in fact uniformly, and thus $l$ is also uniformly distributed (in $\{1, \ldots, 2n\}$), independent of $i$.


4.2 Complexity 


Space Complexity: $R_1, R_2$ require $O(n)$ space, and $A_1, \ldots, A_k$ require $O(n \log n)$ space. Specifically, $R_1$ is an $n$-bit string⁴, $R_2$ is a $2n$-bit string, and $A_1, \ldots, A_k$ each hold $n$ secret bits, the same $n + 2n$ bits as in $R_1$ and $R_2$, and $3 \log n! < 3n \log n$ bits for the three permutations, for a total of $O(n \log n)$ bits.


Communication Complexity: Recall that $SOT_k(l, n)$ denotes the communication complexity required for a $\binom{n}{1}$ semi-oblivious transfer protocol for $l$-bit secrets using $k$ secret holders.


⁴Even a slightly shorter $\log \binom{n}{n/2}$-bit string suffices, since we need to specify an $n$-bit string with an equal number of 0's and 1's. A similar observation holds for $R_2$.
Theorem 4 The random pointer scheme for $k + 2$ holders uses communication complexity of $O(k \log n) + SOT_k(2 \log n + 1, n)$.


Proof: The communication in this scheme consists of $3 \log n$ bits sent by Bob in the first step to each of $A_1, \ldots, A_k$ (indicating the three shifts $s_1, s_2^0, s_2^1$), $\log n + \log 2n$ bits sent by Bob in the last step to $R_1$ and $R_2$ (indicating the locations $j, l$ respectively), their two answer bits, and the communication required by the underlying semi-oblivious protocol $P$ for $n$ secrets of length $\log n + \log 2n = 2 \log n + 1$ each (recall that the secrets for the underlying subprotocol are of the form $(j_1, l_1), \ldots, (j_n, l_n)$, where $j_r, l_r$ are locations into the $n$-bit and $2n$-bit strings). Altogether, this gives $(3k + 4) \log n + 4 + SOT_k(2 \log n + 1, n) = O(k \log n) + SOT_k(2 \log n + 1, n)$.


Corollary 1 Starting from any semi-oblivious protocol, protecting Bob only, a $\binom{n}{1}$ oblivious transfer protocol protecting both sides can be constructed, paying a logarithmic factor in communication complexity.


Proof: Clearly, an $SOT_k(l, n)$ protocol can be implemented by executing an $SOT_k(1, n)$ protocol $l$ times, considering each bit in the secret separately, one at a time⁵. Since in Theorem 4 the dominating communication complexity in the random pointer scheme is $SOT_k(2 \log n + 1, n)$, the corollary follows.

We note that when a more efficient approach for $SOT_k(l, n)$ than the one-bit-at-a-time one is possible, it should be used to obtain further savings in communication. For example, [11] shows that when a semi-oblivious protocol satisfies a certain additivity condition on the reconstruction function for Bob, then $SOT_k(l, n)$ can be solved within $l$ times the complexity of $SOT_k(1, n + 1)$ (see [11] for details).

Using the best upper bounds known to date for semi-oblivious protocols yields the following.


Corollary 2 The random pointer scheme can be used with known subprotocols to achieve the following results:

• A $k+2$-holders scheme with communication complexity $O(n \log n)$, for every constant $k$. (For $k = 2$ this is $O(n \log n)$.)

• A scheme for a logarithmic number of holders, with polylogarithmic communication complexity.

• A computational version (relying on the existence of one-way functions) for a constant number of holders, with communication complexity of $n^{\epsilon}$, for every $\epsilon > 0$.

Proof: These results follow directly from combining the previous corollary with the known protocols of [11] for 2 databases, [2] for any constant number $k$ of databases, [11] for $\log n + 1$ databases, and the [10] computational protocol for 2 databases.


5 Generalizations 


The random pointer scheme can be generalized to support more general variants of OT, such as privacy with respect to coalitions of secret holders, or oblivious transfer of secrets consisting of blocks of bits. In the following we show how an underlying SOT scheme $P$ supporting the generalized variant can be extended to a generalized OT scheme.


5.1 Privacy With Respect to Coalitions 


So far we were concerned with the privacy of Bob with respect to each single holder (either an $A$ or an $R$), assuming there is no communication between different holders. This protocol can be extended to allow privacy with respect to coalitions of up to $t$ holders who may communicate with each other. We say that a distributed $\binom{n}{1}$ oblivious transfer scheme is $t$-private if no $t$ holders together may obtain from their joint view any information about Bob's selection index $i$. Note that 1-private OT means the regular distributed $\binom{n}{1}$ oblivious transfer as defined before.


⁵Note that here we need not worry about a cheating Bob who may ask for different bits from different secrets at each execution, since this is a semi-oblivious protocol, meaning we only care about Bob's privacy, and not Alice's.
The random pointer scheme as described above achieves only 1-privacy. There are three types of coalitions that could potentially violate the privacy of Bob: a coalition between the two $R$'s, a coalition between the Alices, and a coalition between a combination of Alices and $R$'s.

In order to allow for coalitions of size $t$ between the $R$'s we increase the number of $R$'s to be $t + 1$: $R_1, \ldots, R_t$ corresponding to $R_1$ in the original scheme, and $R_{t+1}$ corresponding to $R_2$ in the original scheme. This way any coalition of up to $t$ random holders from $R_1, \ldots, R_{t+1}$ is missing at least one random holder, and thus their view is uniformly distributed.

In order to allow for coalitions of size t between the Alices we use an underlying SOT scheme which is 
t-private, such as the one suggested in [11]. 

In order to allow for coalitions of size $t$ between $A$'s and $R$'s, we can extend the RP scheme to achieve $t$-privacy by using the following idea: instead of having just one level of pointers from Alice to $R$, we propose to use $t$ levels of pointers between Alice and $R$, such that at least $t + 1$ holders will have to form a coalition in order to gain some information about Bob's query. Thus, if the 1-privacy scheme included $k$ Alices and 2 $R$'s, we now have a level of $k$ Alices, a level of $t + 1$ $R$'s, and between them we use $t - 1$ intermediate levels of secret holders called $AR$, where each level consists of $k$ $AR$'s. Altogether we use $kt + t + 1$ holders, denoted as follows (next to each level of holders we denote the secret string associated with that level).


  Holders                      Secrets
  A^1_1, ..., A^1_k            [S_1, ..., S_n]
  AR^2_1, ..., AR^2_k          [r^2 = r^2_1, ..., r^2_{2n}]
  ...                          ...
  AR^t_1, ..., AR^t_k          [r^t = r^t_1, ..., r^t_{2n}]
  R_1, ..., R_t, R_{t+1}

$S_1, \ldots, S_n$ are the original secrets, and each $r^l$ is an independent random string of length $2n$ consisting of half 0's and half 1's.

We denote the holders in the intermediate levels by AR because their role in the protocol is to play 
Alice’s role (like in the RP scheme), but their content consists of random bits, and thus they can be viewed 
as random holders, and don’t need to know the original secrets. 

The protocol follows the same idea as the basic RP scheme. Bob starts by running the SOT protocol $P$ with the first level of holders, where the secrets used by the holders are pointers (indices) into the second level's secret string corresponding to the original secrets. Thus, Bob semi-obliviously receives a pointer $i_2$ into $r^2$ that he is now interested in. He runs $P$ again with the second level holders, using $i_2$ as his selection index, and obtains a new index $i_3$ into $r^3$, and so on. After $t$ steps Bob has obtained a private index $i_t$ into $r^t$. He now runs $P$ with the holders at level $t$, to receive $t + 1$ pointers $j_1, \ldots, j_t, j_{t+1}$ into $R_1, \ldots, R_t, R_{t+1}$ respectively. Now he can ask each random holder for the value in the corresponding location, and xor the values to obtain his answer.

The pointers used by the holders as secrets are obtained in the same manner as in the original scheme, 
namely via random permutations that are shared between the holders in each level, and are used to calculate 
pointers with a suitable bit value into the next level’s string. 

In order to make the above idea work, we need to make one additional modification. To see why, note that in the scheme described above, if one of the holders in level $t$ communicates with one of the random holders, they can find out which bit in $r^t$ Bob was interested in. This gives away the value of the bit of Bob's interest (although not its index, since they don't know the mappings from $\{S_1, \ldots, S_n\}$ to the string $r^t$).

To solve this problem, before running $P$ with a certain level $l$, Bob first sends a random bit $b_l \in \{0, 1\}$ to all holders of that level. The holders xor all the secret bits with $b_l$, and proceed as above. At the end of the protocol, Bob xors $b_1 \oplus \ldots \oplus b_t$ and all the bits he received from $R_1, \ldots, R_{t+1}$ to obtain his desired bit.

Now, any coalition of up to $t$ holders from different levels cannot contain one holder from each level and a random holder (since this would consist of $t + 1$ holders), and thus cannot have all the permutations connecting the original secrets with the last level secrets and the location Bob has asked from the random holder, and thus cannot have any information about Bob's original interest.
5.2 OT of Blocks of Secrets


Another possible generalization is the transfer of block secrets consisting of $l > 1$ bits each. Note that, unlike semi-oblivious transfer, this cannot be done simply by running the original scheme for each bit⁶. A simple way to extend the RP scheme to block secrets is to change $R_1$ and $R_2$ to consist of blocks of length $l$, so that Bob receives two indices of blocks in $R_1$ and $R_2$ such that the xor of the two is the secret.

In order for the original protocol and proof to follow through in this setting, $R_1$ should contain $n$ $l$-bit blocks, chosen randomly so that each possible block appears the same number of times. $R_2$ should contain $n$ copies of each possible block, in random order, so it needs to have $n 2^l$ $l$-bit blocks.
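The following is an added worked example, not code from the paper: it implements the holder side of the random pointer scheme exactly as the pointers are defined in the proof of Theorem 3 ($j_r = \pi_1(r) + s_1 \bmod n$, and $l_r$ the location of the $\sigma_2^b(r)$'th $b$-entry of $R_2$ with $b = R_1[j_r] \oplus S_r$), generalized to $l$-bit block secrets as in Section 5.2 (with $l = 1$ it is the bit scheme of the earlier sections), and it checks the binomial ratios used in the proof of Lemma 4 against a brute-force enumeration of balanced strings. The semi-oblivious subprotocol $P$ is abstracted away (Bob simply receives pointer $i$ from the Alices' list), indices are 0-based, and the sample secrets are constructed; these are assumptions of the example.

```python
"""Added worked example (not the paper's own code): the random pointer (RP)
scheme's pointer construction as spelled out in the proof of Theorem 3,
generalized to l-bit block secrets as in Section 5.2 (l = 1 is the bit
scheme), plus an exact check of the binomial ratios used in Lemma 4."""
import random
from fractions import Fraction
from itertools import combinations
from math import comb


def rp_setup(n, l, rng):
    """Random holders' contents and the permutations shared by the Alices.
    R1: n blocks, each of the 2^l values appearing n/2^l times.
    R2: 2^l * n blocks, n copies of each value, in random order."""
    values = range(2 ** l)
    assert n % (2 ** l) == 0, "each block value must appear equally often in R1"
    R1 = [v for v in values for _ in range(n // 2 ** l)]
    rng.shuffle(R1)
    R2 = [v for v in values for _ in range(n)]
    rng.shuffle(R2)
    pi1 = rng.sample(range(n), n)                       # pi_1
    pi2 = {v: rng.sample(range(n), n) for v in values}  # pi_2^b, one per value b
    return R1, R2, pi1, pi2


def alice_pointers(secrets, R1, R2, pi1, pi2, s1, s2):
    """The n 'secrets' (j_r, l_r) handed to the underlying semi-oblivious
    protocol P, computed from the shifts s1 and s2[b] that Bob sends to every Alice."""
    n = len(secrets)
    occ = {}                               # occ[b][m] = location of the m-th b-block in R2
    for pos, v in enumerate(R2):
        occ.setdefault(v, []).append(pos)
    pointers = []
    for r in range(n):
        j = (pi1[r] + s1) % n              # j_r = sigma_1(r) = pi_1(r) + s_1 (mod n)
        b = R1[j] ^ secrets[r]             # value R2[l_r] must have so that R1[j_r] xor R2[l_r] = S_r
        m = (pi2[b][r] + s2[b]) % n        # m = sigma_2^b(r); R2 holds n b-blocks, so m < n suffices
        pointers.append((j, occ[b][m]))    # l_r = location of the m-th b-block in R2
    return pointers


def bob_retrieve(i, secrets, R1, R2, pi1, pi2, rng):
    """Bob's side for selection index i. The subprotocol P is abstracted away
    (assumption): Bob just receives pointer i from the Alices' list."""
    n = len(secrets)
    s1 = rng.randrange(n)
    s2 = {b: rng.randrange(n) for b in pi2}
    j, l = alice_pointers(secrets, R1, R2, pi1, pi2, s1, s2)[i]
    return R1[j] ^ R2[l]                   # one block from R1, one from R2


def rp_demo(n, l, seed=1):
    """Retrieve every secret once; returns (retrieved values, true secrets, |R1|, |R2|)."""
    rng = random.Random(seed)
    secrets = [rng.randrange(2 ** l) for _ in range(n)]   # constructed sample secrets
    R1, R2, pi1, pi2 = rp_setup(n, l, rng)
    got = [bob_retrieve(i, secrets, R1, R2, pi1, pi2, rng) for i in range(n)]
    return got, secrets, len(R1), len(R2)


def lemma4_ratios(n):
    """Bit case: Prob[R1[j'] = S' | R1[j] = v] for j' != j, in the two cases
    S' = v and S' != v: by the binomial count of the proof, by enumerating all
    balanced n-bit strings, and by the closed form 1/2 -/+ 1/(2(n-1))."""
    total = comb(n - 1, n // 2)
    by_formula = (Fraction(comb(n - 2, n // 2 - 2), total),
                  Fraction(comb(n - 2, n // 2 - 1), total))
    cond = []                              # all balanced strings with R1[0] = 0 (j = 0, v = 0)
    for ones in combinations(range(1, n), n // 2):
        cond.append([1 if p in ones else 0 for p in range(n)])
    by_count = (Fraction(sum(s[1] == 0 for s in cond), len(cond)),   # j' = 1
                Fraction(sum(s[1] == 1 for s in cond), len(cond)))
    closed = (Fraction(1, 2) - Fraction(1, 2 * (n - 1)),
              Fraction(1, 2) + Fraction(1, 2 * (n - 1)))
    return by_formula, by_count, closed
```

Running `rp_demo(8, 1)` and `rp_demo(8, 2)` returns every secret correctly while $R_2$ grows from $2n$ to $2^l n$ blocks, as Section 5.2 requires; `lemma4_ratios(n)` returns three identical pairs for every even $n \ge 4$ (for $n = 6$ they are $2/5$ and $3/5$), which is the identity the lemma's proof relies on. The check that makes $m < n$ sufficient is that $R_2$ holds exactly $n$ copies of every block value, so the $m$'th $b$-block always exists.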


6 Repetitive $\binom{n}{1}$ Oblivious Transfer


In the context of the Secure Database Access problem, repetitive executions of the Oblivious Transfer protocol are very desirable. By repetitive executions we mean that the protocol is used multiple times with the same secrets. In order to allow repetitions, two issues must be examined:

Security: Executing the scheme $k$ times will give Bob information about only $k$ secrets of his choice, but no more than that, and will give Alice no information at all regarding Bob's choices of secrets. This extends the traditional definition of $\binom{n}{1}$ oblivious transfer, which guarantees this for a single execution ($k = 1$).


Efficiency: Executing the scheme $k$ times can be done in a reasonable complexity. In particular, we want to achieve secure repetitive $\binom{n}{1}$ oblivious transfer without recomputing the whole protocol from scratch with each execution of the protocol.

For simplicity, we present repetitive oblivious transfer with respect to the standard model, with a single secret holder. It is easy to extend the notion to distributed repetitive oblivious transfer, similarly to our approach in the previous sections.


Repetitive Oblivious Transfer: This is a protocol between Alice, who has $n$ secret bits $S_1, \ldots, S_n$, and Bob, who has a selection index $i \in \{1, \ldots, n\}$. We break the protocol into a setup stage and an on-line stage. We say that the protocol is secure for $k$ repetitions if, after performing the setup stage once and the on-line stage $k$ times, with selection indices $i_1, \ldots, i_k$ respectively, the following three conditions hold.

1. Bob learns the secrets at his selection indices, namely $S_{i_1}, \ldots, S_{i_k}$.

2. Bob gains no further information about the other secrets $S_j$, $j \notin \{i_1, \ldots, i_k\}$.

3. Alice learns nothing about the values of $i_1, \ldots, i_k$.


Clearly, for the repetitive scenario it is desirable to have as much of the work load as possible done during 
the setup stage, so that the on-line stage (which is the one being repeated) is as efficient as possible. 

We inspect existing protocols, and show that they are not secure even for 2 executions, unless all the 
setup (such as choosing a one way function, etc) is computed from scratch every time, which makes it too 
inefficient for repetitive applications. 


6.1 Open Question

In our scheme, it is clear that if all random strings of the secret holders are chosen independently every time, then the scheme can be repeated without losing privacy. This may be a reasonable solution for a constant number of repetitions (since several random strings can be generated in advance), or for computational security (using short pseudo-random seeds). However, it is too expensive if we require a large number of repetitions and insist on information theoretic security.

Other existing schemes also fail to solve this problem, as we show below. Thus, the problem of designing an efficient repetitive $\binom{n}{1}$ oblivious transfer protocol remains an important and useful open problem, and we are currently working towards solutions in this direction.


⁶If we did this, Bob could ask for $l$ different bits from different blocks, thus obtaining information dependent on more than one secret.
6.2 Problems with Repetition for Existing Protocols

It is interesting to find that existing implementations of $\binom{n}{1}$ oblivious transfer are generally not satisfactory for applications that require repetitions. In this section we look at some of the existing schemes and their repetition security.


6.2.1 Oblivious Transfer Based on any One Way Trapdoor Function 


A general $\binom{n}{1}$ oblivious transfer protocol based on any one-way trapdoor function is described in [14]. In what follows we provide a brief sketch of the protocol, and show that it is not secure for repetitions.

Sketch of Protocol: Alice and Bob agree on a one-way trapdoor function $f$, and let $B$ be a hard-core predicate for $f$. Bob sends to Alice $n$ numbers $y_1, \ldots, y_n$, where the one at his selection index $i$ is of the form $y_i = f(x)$ for a randomly chosen $x$, and the other $n - 1$ numbers are chosen randomly. Alice gets the list $y_1, \ldots, y_n$ and sends back $S_1 \oplus B(f^{-1}(y_1)), \ldots, S_n \oplus B(f^{-1}(y_n))$. Bob is able to find $S_i$, which is the exclusive-or of two values he knows: $B(f^{-1}(y_i)) = B(x)$ and $B(f^{-1}(y_i)) \oplus S_i$. Bob cannot find any other secret $S_j$ for $j \neq i$, since it is masked by $B(f^{-1}(y_j))$, about which Bob has no information.


Indeed, one application of the scheme gives Bob only one secret. However, applying the same scheme twice gives Bob much more information than just 2 secrets (unless the one-way function and hard-core predicate are chosen afresh every single time). In fact, in two applications Bob can recover all the secrets, as follows.

• First iteration of the scheme: Bob sends to Alice

  $f(x), y_2, y_3, \ldots, y_n$

  for random $x, y_2, \ldots, y_n$.

• Bob receives from Alice

  $z_1 = S_1 \oplus B(x),\ z_2 = S_2 \oplus B(f^{-1}(y_2)),\ \ldots,\ z_n = S_n \oplus B(f^{-1}(y_n))$

• Bob calculates $S_1 = z_1 \oplus B(x)$.

• Second iteration of the scheme: Bob sends to Alice

  $y_2, \ldots, y_n, y'$

  for a random $y'$.

• Bob receives from Alice

  $w_1 = S_1 \oplus B(f^{-1}(y_2)),\ \ldots,\ w_{n-1} = S_{n-1} \oplus B(f^{-1}(y_n)),\ w_n = S_n \oplus B(f^{-1}(y'))$

• Bob calculates

  $S_2 = z_2 \oplus w_1 \oplus S_1,\ S_3 = z_3 \oplus w_2 \oplus S_2,\ \ldots,\ S_n = z_n \oplus w_{n-1} \oplus S_{n-1}$

Bob has all $n$ secrets now.
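To make the repetition failure concrete, here is an added simulation (not from [14] or the paper) of the sketch above with a toy RSA-style trapdoor permutation $f(x) = x^3 \bmod 187$, trapdoor exponent 107, and least-significant-bit hard-core predicate; the modulus, the sample secrets and the honest/shifted query lists are constructed for the illustration and the modulus is far too small to be secure. `single_execution` is the protocol as specified and yields exactly one secret; `two_executions` replays the two-iteration transcript from the list above with the same $f$ and shows that the $z$ and $w$ masks cancel pairwise, which is why the Security condition of Section 6 fails for $k = 2$ unless $f$ and $B$ are chosen afresh per execution.

```python
"""Added example (not from the paper): the two-execution problem of the
trapdoor-based OT sketch above, simulated with a toy RSA-style trapdoor
permutation on a tiny modulus (constructed for illustration; not secure)."""
import random

N = 11 * 17          # toy modulus
E = 3                # f(x) = x^3 mod N is a permutation of Z_N since gcd(3, phi(N)) = 1
D = 107              # Alice's trapdoor: 3 * 107 = 1 (mod phi(N) = 160)
SECRETS = [1, 0, 1, 1, 0, 1, 0, 0]   # constructed sample secrets S_1..S_n


def f(x):
    return pow(x, E, N)


def f_inv(y):        # only Alice, who holds D, can compute this
    return pow(y, D, N)


def B(x):            # hard-core predicate: least significant bit
    return x & 1


def alice_respond(secrets, ys):
    """Alice's single message: S_j masked with B(f^{-1}(y_j)) for every j."""
    return [s ^ B(f_inv(y)) for s, y in zip(secrets, ys)]


def single_execution(secrets, i, rng):
    """One honest execution: Bob learns S_i; every other S_j stays masked by a bit he cannot compute."""
    n = len(secrets)
    x = rng.randrange(1, N)
    ys = [rng.randrange(1, N) for _ in range(n)]   # random y_j, preimages unknown to Bob
    ys[i] = f(x)                                   # y_i = f(x), so Bob knows B(f^{-1}(y_i)) = B(x)
    return alice_respond(secrets, ys)[i] ^ B(x)


def two_executions(secrets, rng):
    """The repetition failure described in the paper: f is reused, and Bob resubmits
    y_2..y_n shifted by one position, so the masks of the two replies cancel pairwise."""
    n = len(secrets)
    x = rng.randrange(1, N)
    ys = [rng.randrange(1, N) for _ in range(n - 1)]          # y_2, ..., y_n
    z = alice_respond(secrets, [f(x)] + ys)                   # first execution
    w = alice_respond(secrets, ys + [rng.randrange(1, N)])    # second execution, fresh y'
    recovered = [z[0] ^ B(x)]                                 # S_1, as in an honest run
    for r in range(1, n):
        # z[r] and w[r-1] are both masked by B(f^{-1}(ys[r-1])), so the mask cancels
        recovered.append(z[r] ^ w[r - 1] ^ recovered[r - 1])
    return recovered


def demo(seed=1):
    """Returns (S_3 from one honest run, the full list recovered from two runs)."""
    rng = random.Random(seed)
    return single_execution(SECRETS, 2, rng), two_executions(SECRETS, rng)
```

With a fresh trapdoor (new $N$, $D$) per execution, the masks in $z$ and $w$ come from independent functions and the pairwise cancellation in `two_executions` no longer holds, which is the "chosen afresh every single time" remedy the paper notes and rejects as too expensive for the repetitive setting.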
6.2.2 Oblivious Transfer Based on Quadratic Residuosity

Brassard, Crépeau and Robert [9] suggest a $\binom{n}{1}$ oblivious transfer protocol based on the quadratic residuosity assumption (QR). This protocol has weaknesses in terms of repetition security, but it is much better than the previous one in this respect.

Sketch of Protocol: Alice sends to Bob all secrets, encrypted (using QR). Bob selects the encrypted secret of his choice, encrypts it again using his own key, and sends it to Alice. Alice decrypts the value she has received, thus removing her encryption from it. The resulting value is sent to Bob, who can now remove his encryption from it as well, and get his desired secret. This idea as described above does not quite work yet, since Bob may get some other value (e.g. the xor of two secrets) rather than one of the secrets. To get around this problem, the protocol is modified such that Bob sends to Alice a value called a $\sigma$-packet $P_\sigma$, together with a proof of validity for $P_\sigma$ (see [9] for details).

The same $P_\sigma$ may be used for repetitive applications of the scheme, achieving only partial security (e.g. Alice can tell whether Bob's questions (selection indices) are all different or not). Using a new $P_\sigma$ for every repetition avoids this leakage of information, but considerably increases the on-line stage complexity.


6.2.3 Non-Interactive Oblivious Transfer

A different flavor of oblivious transfer was introduced by Bellare and Micali [5], where the goal is to eliminate interaction from the oblivious transfer protocol. Their non-interactive protocol violates the definition of repetition security, since Bob can hold only one selection index $i$, and if the protocol is to be repeated, he will get the secret at the same location every single time.

Sketch of Protocol: This protocol is based on the Diffie-Hellman assumption. The idea is that Bob publishes a set of $n$ public keys, such that he knows the discrete logarithm of exactly one of them (the protocol provides a way for Alice to make sure Bob cannot know the discrete logarithm of more than one of his public keys, relying on the Diffie-Hellman assumption). Now, to perform an oblivious transfer Alice sends the $n$ secrets encrypted with the $n$ public keys, and Bob can decrypt only the one corresponding to the public key whose discrete log he knows.

Since the selection index of Bob is predetermined from the moment he publishes his public keys, it is clear that when repeating the scheme $k$ times, Bob will always have the same selection index (i.e. $i_1 = \ldots = i_k$ in our definition of repetitive oblivious transfer), and the scheme is not secure for repetitions.